3.1.18 has a weight of -5 points
(Access Control Family) 18/22
Control connection of mobile devices
Video:
Example of Sysytem Security Plan (SSP):
System Security Plan (SSP) for [Organization Name]
1. Introduction
This System Security Plan outlines the organization’s approach to securing its network and the measures taken to protect Controlled Unclassified Information (CUI) within the Cybersecurity Maturity Model Certification NIST 800-171 framework.
2. Wireless Network Access Controls
2.1 Authorization: Only authorized users with the wireless password can access the organization’s wireless network. Permissions are granted directly by the IT department.
2.2 Device Ownership: All authorized mobile devices must be company-owned. Personal devices are not permitted to access the network.
2.3 Remote Management: Authorized mobile devices utilize remote wipe and remote management capability, allowing the IT department to control all aspects of the connection.
2.4 Conditional Access: Microsoft Intune is utilized to control the connection of Windows laptops to the secured environment, determining whether a connection should be allowed or denied based on specific criteria.
2.5 Mobile Device Restrictions: Mobile phones and other mobile devices are explicitly not authorized to connect to any other environment that holds CUI.
3. Compliance
This SSP is in alignment with the guidelines and standards set forth in the Nist 800-171 framework for the protection of Controlled Unclassified Information.
4. Responsibilities
Both the IT Department and employees have shared responsibilities in implementing, maintaining, and adhering to these security measures.
5. Review and Updates
Ongoing monitoring, audits, and necessary revisions will be carried out to ensure compliance and effectiveness.
6. Approval
This SSP is approved by: [Name, Title]
Signature: ________________________ Date: _______________
Example of Plan of Action and Milestones ( POA & M):
Plan of Action and Milestones (POA&M) for [Organization Name]
Wireless Network Access Controls
| Task Description | Responsible Party | Resources Needed | Target Completion Date | Status | Remarks |
|---|---|---|---|---|---|
| Implement Wireless Password Authentication | IT Department | IT Staff, Tools | MM/DD/YYYY | In Progress | Ensuring that only authorized users have access to the wireless network |
| Acquire Company-Owned Mobile Devices | IT Department | Budget, Vendor | MM/DD/YYYY | Completed | Replacing personal devices with company-owned devices |
| Implement Remote Wipe and Management | IT Department | IT Staff, Tools | MM/DD/YYYY | In Progress | Implementing control over devices through remote management |
| Configure Microsoft Intune for Conditional Access | IT Department | IT Staff, Licenses | MM/DD/YYYY | Planned | Planning to use Intune for controlling laptop connections |
| Establish Policy for Mobile Device Restrictions | IT Department & Management | Policy Development Staff | MM/DD/YYYY | Completed | Policy in place restricting mobile devices from CMMC environment |
Approval:
[Name, Title] Signature: ________________________ Date: _______________
Review Dates:
- Next Review: MM/DD/YYYY
- Following Review: MM/DD/YYYY
Additional Notes:
- Continuous monitoring is required to ensure compliance with the newly implemented policies.
- Ongoing training may be necessary for staff to understand and comply with these policies.
RELEVANT INFORMATION:
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, or built-in features for synchronizing local data with remote locations. Examples of mobile devices include smartphones, e-readers, and tablets. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different types of devices. Usage restrictions and implementation guidance for mobile devices include: device identification and authentication; configuration management; implementation of mandatory protective software (e.g., malicious code detection, firewall); scanning devices for malicious code; updating virus protection software; scanning for critical software updates and patches; conducting primary operating system (and possibly other resident software) integrity checks; and disabling unnecessary hardware (e.g., wireless, infrared). The need to provide adequate security for mobile devices goes beyond this requirement. Many controls for mobile devices are reflected in other CUI security requirements. [SP 800-124] provides guidance on mobile device security.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.